Finding Text
2025-003 — IT – Material Weakness in Internal Control Over Compliance and Noncompliance (Repeat of Finding 2024-002, 2023-003)

Federal program information:
Funding agencies: U.S. Department of Interior and U.S. Department of Education
Titles: Assistance to Tribally Controlled Community Colleges; Higher Education Institutional Aid; and SFA Cluster
ALN Number: 15.027, 84.031, 84.063 and 84.007
Award years: Various

Criteria: Without strong information technology internal controls and established policies and procedures, there is the potential for the integrity of financial records and the confidentiality, integrity and/or availability of data to be compromised. This compromise could be by an internal user of the system or by an external source (hacker), and could be intentional or unintentional.

Condition: The College’s IT control environment is lacking certain key controls. For the majority of the audit period there were no formalized IT policies and procedures, sufficient data backup processes, or a formalized disaster recovery plan. IT controls are not in place to ensure unauthorized individuals are restricted from adding new vendors, recording journal entries, and making changes to employee pay records. The College began implementing new policies and procedures in May of 2025.

Questioned Costs: None.

Cause: The IT controls have not been properly designed and implemented.

Effect: The College is exposed to many risks regarding the integrity of the financial records and the confidentiality, integrity, and/or availability of its data. It is possible that its data could be compromised. Compromise could be by an internal user of the system or by an external source (hacker), and could be intentional or unintentional.

Auditor’s Recommendations: Establishing IT controls, policies and procedures, off-site electronic data backups, and a disaster recovery plan would better prepare the College for technology-related issues, system crashes, or data breaches.

Management’s Response: The College concurs with the finding, and the following IT and DATA governance policies have been implemented as of 2-26-26.
1. Data Privacy Statement
2. Institutional Data Governance Policy
3. IT Acceptable Use Policy
Additionally, data backup processes have been implemented, and a Disaster Recovery Plan is being developed.